ping of death

Reprints On the Internet, ping of death is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation; it allows a single IP packet to be broken down into smaller segments. In 1996, attackers began to take advantage of that feature when they found that a packet broken down into fragments could add up to more than the allowed 65,536 bytes.

Many operating systems didn't know what to do when they received an oversized packet, so they froze, crashed, or rebooted. Ping of death attacks were particularly nasty because the identity of the attacker sending the oversized packet could be easily spoofed and because the attacker didn't need to know anything about the machine they were attacking except for its IP address. By the end of 1997, operating system vendors had made patches available to avoid
the ping of death. Still, many Web sites continue to block Internet Control Message Protocol (ICMP) pingmessages at their firewalls to prevent any future variations of this kind of denial of service attack. Ping of death is also known as "long ICMP."

mail bomb

Reprints A mail bomb is the sending of a massive amount of e-mail to a specific person or system. A huge amount of mail may simply fill up the recipient's disk space on the server or, in some cases, may be too much for a server to handle and may cause the server to stop functioning. In the past, mail bombs have been used to "punish" Internet users who have been egregious violators of netiquette (for example, people using e-mail for undesired advertising, orspam). Mail bombs not only inconvenience the intended target but they are also likely to inconvenience everybody using the server. Senders of mail bombs should be wary of exposing themselves to reciprocal mail bombs or to legal actions.

distributed denial-of-service attack (DDoS)

Reprints

A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. In a typical DDoS attack, a hacker (or, if you prefer, cracker) begins by exploiting a vulnerability in one computer system and making it the DDoS master. It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service. While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target and as well the systems controlled by the intruder. Although the owners of co-opted computers are typically unaware that their computers have been compromised, they are nevertheless likely to suffer degradation of service and malfunction. Both owners and users of targeted sites are affected by a denial of service. Yahoo, Buy.com, RIAA and the United States Copyright Office are among the victims of DDoS attacks. DDoS attacks can also create more widespread disruption. In October 2010, for example, a massive DDoS attack took the entire country of Myanmar offline. A computer under the control of an intruder is known as a zombie or bot. A group of co-opted computers is known as a botnet or a zombie army. Both Kaspersky Labs and Symantec have identified botnets -- not spam, viruses, or worms -- as the biggest threat to Internet security.

The SYN flood attack sends TCP connections requests

faster than a machine can process them.

attacker creates a random source address for each packet SYN flag set in each packet is a request to open a new connection to the server from thespoofed IP address victim responds to spoofed IP address, then waits for confirmation that never arrives (waits about 3 minutes) victim's connection table fills up waiting for replies after table fills up, all new connections are ignored legitimate users are ignored as well, and cannot access the server

once attacker stops flooding server, it usually goes back to normal state (SYN floods rarely crash servers) newer operating systems manage resources better, making it more difficult to overflow tables, but still are vulnerable SYN flood can be used as part of other attacks, such as disabling one side of a connection in TCP hijacking, or by preventing authentication or logging between servers.

Defensive techniques: micro blocks Instead of allocating a complete connection object (which causes the memory failure), simply allocate a micro-record. Newer implementations allocate as little as 16-bytes for the incoming SYN object. SYN cookies Instead of allocating a record, send a SYN-ACK with a carefully constructed seqno generated as a hash of the clients IP address, port number, and other information. When the client responds with a normal ACK, that special seqno will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first. However, the cryptographic hashing used in SYN cookies is fairly expensive, so servers that expect lots of incoming connections may choose not to use it. (Conversely, newer TCP stacks need to implement secure sequence numbers anyway in order to avoid TCP seqno prediction, so this is not necessarily a problem). RST cookies An alternative to SYN cookies, but may cause problems with Win95 machines and/or machines behind firewalls. The way this works is that the server sends a wrong SYNACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally. stack tweaking TCP stacks can be tweaked in order to reduce the effect of SYN floods. The most common example is to reduce the timeout

before a stack frees up the memory allocated for a connection. Another technique would be to selectively drop incoming connections.

DoS attack
Short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.

DDoS attack
Short for Distributed Denial of Service, it is an attack where multiple compromised systems (which are usually infected with a Trojan) are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

What is a Spoofing Attack?

Spoofing is when an attacker pretends to be someone else in order gain access to restricted resources or steal information. This type of attack can take a variety of different forms; for instance, an attacker can impersonate the Internet Protocol (IP) address of a legitimate user in order to get into their accounts. Also, an attacker may send fraudulent emails and set up fake websites in order to capture users login names, passwords, and account information. Faking an email or website is sometimes called a phishing attack. Another type of spoofing involves setting up a fake wireless access point and tricking victims into connecting to them through the illegitimate connection. IP addresses are similar to postal addresses and route information to the correct location across networks. Data is broken up and sent in pieces called packets. Each packet contains the senders and the recipients address. IP address spoofing is possible because an attacker can forge the senders address and make the packet appear to be coming from someone else. A common use of IP address spoofing is a denial of service attack where an attacker using spoofing to hide the source of their attack. Phishing attacks involve setting up fake websites or sending spam emails in an attempt to lure potential victims to fake websites. The sender field in an email can be changed easily and as long as the email message protocols are acceptable, the message will be delivered. A phishing site can look just like the real one, with the same color schemes, layout, and logos. A victim that attempts to use the site can unknowingly be submitting their personal data to criminals. Fake or rogue WIFI access point masquerading as well known brands in airports, train stations, financial institutions, and retail locations offer attackers a relatively simple way to steal data. Some tips to protect yourself when using public hotspots are to keep your wireless radio turned off until you are ready to use it, disable file and printer sharing, and set your wireless option to infrastructure networks only. Programs that update automatically can also be another avenue for a wireless spoofing attack; therefore, be sure to enable the ask me first feature before allowing your computer to download updates.

man in the middle attack (fire brigade attack)

Reprints A man in the middle attack is one in which the attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other.

The attack gets its name from the ball game where two people try to throw a ball directly to each other while one person in between them attempts to catch it. In a man in the middle attack, the intruder uses a program that appears to be the server to the client and appears to be the client to the server. The attack may be used simply to gain access to the message, or enable the attacker to modify the message before retransmitting it. Man in the middle attacks are sometimes known as fire brigade attacks. The term derives from the bucket brigade method of putting out a fire by handing buckets of water from one person to another between a water source and the fire. RSA algorithm (Rivest-Shamir-Adleman), data key, greynet (or graynet), spam cocktail (or anti-spam cocktail), fingerscanning (fingerprint scanning),munging, insider threat, authentication server, defense in depth, nonrepudiation
RELATED GLOSSARY TERMS:

What are replay attacks? Give an example of replay attack

Replay attacks are the network attacks in which an attacker spies the conversation between the sender and receiver and takes the authenticated information e.g. sharing key and then contact to the receiver with that key. In Replay attack the attacker gives the proof of his identity and authenticity. Example: Suppose in the communication of two parties A and B; A is sharing his key to B to prove his identity but in the meanwhile Attacker C eavesdrop the conversation between them and keeps the information which are needed to prove his identity to B. Later C contacts to B and prove its authenticity.

What is a DNS Poisoning Attack?

A Domain Name System (DNS) poisoning attack, also called DNS spoofing, is when an attacker is able to redirect a victim to different website than the address that he types into his browser. For example, a user types www.google.com into their browser, but instead of being directed to Googles servers he is instead is sent to a fraudulent site that may look like Googles site but is in actuality it is controlled by the attacker. The

attacker is able to do this by changing the Internet Protocol (IP) address that usually points to Google to the fake IP address of the attacker. The Domain Name System is needed so that networked machines can communicate with each other. Machines use a unique IP address to identify one another much the same way a street address is used to locate a business or home. However, people like words such Google, Yahoo, or YouTube instead of a difficult to remember IP address, like 67.13.142.130, which is easier for a machine to understand. Domain name servers are used to convert names to their corresponding IP address and vice versa. The DNS system is a massive database with billions of domain names and IP addresses. The system handles billions of requests everyday as people surf the internet, send email, a create new websites. Even though the DNS system is distributed around the world, it acts like a single system. An attack can happen by modifying the host tables that are stored on local computers. The host table is list of domains and IP addresses that are used to find the correct IP address when a user enters a domain site name. If the so-called host table name system does not have the correct IP address stored locally then it contacts an external DNS for the correct IP address. If an attacker is able to compromise the entries within the host table then they can direct websites names to any IP address they wish. Another method of performing a DNS Poisoning Attack is to target the external DNS servers themselves. External DNS servers exchange information, including name and IP mapping, with each other using zone transfers. Attackers can set up a DNS server with fake IP address entries so that if the targeted DNS server accepts the zone transfer as authentic, it will then use and distribute the fake IP address assignments to other DNS servers. One way to prevent a DNS poisoning attack is to ensure that the latest version of the DNS software, called Berkley Internet Name Domain (BIND), is installed.